The Challenge with PCI-DSS Compliance 

Many organisations struggle to balance business priorities against 
organisational risk, and to allocate sufficient time and resources 
to address the twelve requirements of PCI-DSS. 

PCI-DSS compliance improvement initiatives often take a back seat; 
the threat of fines or damage to business reputation is usually the motivator. 
Since 2007, many business and IT budgets have been reduced, 
while the compliance burden has increased, and not just for PCI-DSS. 

Tokenisation is a technology solution gaining adoption. 




PCI-DSS Requirements 

Build and Maintain a Secure Network 

1. Install and maintain a firewall configuration to protect cardholder data. 

2. Do not use vendor-supplied defaults for system passwords and other security parameters. 

Protect Cardholder Data 

3. Protect stored cardholder data 

4. Encrypt transmission of cardholder data across open, public networks 

Maintain a Vulnerability Management Program 

5. Use and regularly update anti-virus software or programs 

6. Develop and maintain secure systems and applications 
PCI-DSS Requirements (continued) 

Implement Strong Access Control Measures 

7. Restrict access to cardholder data by business need-to-know 

8. Assign a unique ID to each person with computer access 

9. Restrict physical access to cardholder data 

Regularly Monitor and Test Networks 

10. Track and monitor all access to network resources and cardholder data 

11. Regularly test security systems and processes 

Maintain an Information Security Policy 

12. Maintain a policy that addresses information security for all personnel 




Payment Card Process 

(Figure: the payment card process, showing Cardholders, Merchants and the Payment Brand Network.) 

Track 1 Data (Format B) Example 

(Figure: a sample Track 1 Format B record.) 
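As an added example (not from the original deck), the following Python parses a Track 1 Format B record of the kind the figure illustrated, runs the mod 10 check on the PAN, and shows the only form of the PAN that should ever reach a log: first six and last four digits. The sample track is constructed; its PAN is the one from the deck's tokenisation example with the separators removed, and the name, expiry, service code and discretionary data are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample track (not from a real card). The PAN is the one the
# deck's own tokenisation example uses, with the separators removed; the
# name, expiry, service code and discretionary data are made up.
SAMPLE_TRACK1 = "%B5353161000010373^DOE/JANE^29121011234567890123?"

# Track 1 Format B: start sentinel %, format code B, PAN, ^, name, ^,
# expiry YYMM, three-digit service code, discretionary data, end sentinel ?
TRACK1_B = re.compile(
    r"^%B(?P<pan>\d{1,19})"          # format code B, then the PAN
    r"\^(?P<name>[^^]{2,26})"         # SURNAME/FIRST, 2 to 26 characters
    r"\^(?P<exp>\d{4})"               # expiry date as YYMM
    r"(?P<svc>\d{3})"                 # service code
    r"(?P<disc>[^?]*)\?$"             # discretionary data, then end sentinel
)


@dataclass(frozen=True)
class Track1:
    pan: str
    surname: str
    first_name: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track1(track: str) -> Track1:
    """Split a Track 1 Format B record into its fields, rejecting bad PANs."""
    m = TRACK1_B.match(track)
    if not m:
        raise ValueError("not a Track 1 Format B record")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails mod 10 check")
    surname, _, first = m["name"].partition("/")
    return Track1(m["pan"], surname, first.strip(), m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """Display form PCI-DSS permits: at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_log_line(track: str) -> str:
    """What may be written to a log: a masked PAN, never the track itself.
    Full track contents must not be stored after authorisation."""
    rec = parse_track1(track)
    return f"card={mask_pan(rec.pan)} exp={rec.expiry_yymm} svc={rec.service_code}"


if __name__ == "__main__":
    print(safe_log_line(SAMPLE_TRACK1))
```

The point of the parser is where the PAN comes from: everything between the sentinels is cardholder data, and any system that touches it, even only to log it, is in PCI-DSS scope unless the PAN is masked or replaced with a token before it gets there.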
What exactly is Tokenisation? 

Tokenisation is the process of substituting sensitive information with alternate data that 
has no intrinsic value outside the environment for which it was intended. 

Tokenisation can be used to secure more than just payment card information. It can also be 
used for securing medical records, classified data, bank records and other types of sensitive 
information. 

Tokenisation is not to be confused with other forms of tokens. 



Why select tokenisation over encryption? 
The Difference between Encryption and Tokenisation 

Encrypted data is a scrambled version of the original content, 
in contrast to a token, which is a surrogate value. 

The power of tokenisation is that although the token is usable 
within its native application environment, it is completely 
useless elsewhere! 




The Benefits of Tokenisation over Encryption 

The benefits of tokenisation include: 

Protects data at a (potentially) lower overall cost (needs to be validated). 

Data can be substituted like-for-like, or format-preserving. 

Most business processes can use the token and limit access to the sensitive data. 

The downsides of encryption include: 

Retrofitting encryption to existing systems can be costly and increase operational risk. 
Incorporating encryption processes within an application can impact system performance. 
Programmers may need to up-skill to incorporate encryption processes. 
Encrypting, decrypting and re-encrypting at different points means more points of attack. 
Increased overhead from key management. 
Does this mean I don't require encryption? 

Encryption is still required for: 

Secure message transmission (sending and receiving email between sites with TLS). 

Secure file transfer (SFTP). 

Secure sessions (SSH). 

Replication of sensitive information between data centres. 

PIN lifecycle management. 

Information that cannot be tokenised. 



As an alternative to tokenisation, Point-to-Point Encryption (P2PE) can be deployed from the 
terminal, with decryption only at the payment processor. There is no decryption in between 
because the merchant has no access to the keys used by the payment service. 




Examples of Tokenisation 

Data type                 Field                 Original value           Token 
Credit Card Information   PAN                   5353-1610-0001-0373      0566-27ab-cd36-0373 
Health Record             Blood Alcohol Level   0.14                     *0n* 
Classified Data           Grid Location         28° V S / 153° 25' E     #121# / #5xy# 
How popular is Tokenisation? 



According to a recent Gartner survey completed in early 2011, 
approximately half of the U.S. retailers surveyed were, at that 
time, using or planning to use tokenisation or end-to-end 
encryption within two years. 

The key driver for considering or adopting tokenisation was to 
improve compliance with PCI-DSS whilst minimising 
disruptions to business processes due to improvement 
activities. 

Source: Gartner Survey: Challenged U.S. Firms Seek Alternative PCI-Compliance Solutions (Article ID: G00214003) 




Why implement Tokenisation for PCI-DSS? 

The ongoing compliance requirement means every system or 
component that processes or stores payment card data must 
be audited. As companies grow, so too does the audit scope! 

When payment card data is completely replaced with tokens, 
almost half the security checks from PCI-DSS no longer apply 
to the systems that now hold only tokens: 

Database encryption, key management and other controls may no longer be required on those systems. 
However, the tokenisation system still needs to be deployed and managed. 
It may be managed in-house or via a managed security service provider. 
The tokenisation system itself uses encryption, remains in scope and must be fully compliant. 
PCI SSC Characteristics for Tokenisation Solutions 

The PCI SSC tokenisation guideline outlines eight characteristics 
that tokenisation solutions must meet: 

1. Tokenisation systems must not reverse tokens to credit card numbers for any component outside of the 
organisation's cardholder data environment. 

2. Systems performing the tokenisation must be on secure internal networks that are isolated from out-of-scope 
networks. 

3. Untrusted communication must be prohibited in and out of the tokenisation system. 

4. The solution must be built upon strong cryptography. 

5. The solution must meet the access control and authentication requirements in PCI-DSS sections 7 and 8. 

6. The solution must be securely configured with vulnerabilities remediated. 

7. The solution must implement the organisation's data retention policy by securely deleting cardholder data 
when it is no longer necessary for meeting business requirements. 

8. The solution must provide appropriate monitoring, alerting and logging capabilities. 




Characteristics of a good Token design 

The same number of digits as a PAN, i.e. 15, 16 or 19. 
Some card number preservation, e.g. the last 4 digits. 
The tokenised number should not start with any of the 
major brand leading digits, i.e. 3, 4, 5 or 6. 
The tokenised number should always fail a mod 10 (Luhn) check. 
What are the business requirements for Tokens? 



Transactional 

A unique token is generated for each transaction. 
Will have different values for a single payment card. 

Card-based 

A single token is generated for each payment card. 
Will have multiple transactions stored per card. 

Issues to consider 

Token Collisions 
Token Lifetime 
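An added example (not the deck's own code, and not any vendor's product) that puts the token design rules from "Characteristics of a good Token design" and the two token styles from this slide into working Python: a generator that keeps the PAN's length and last four digits, never starts with a brand leading digit and always fails the mod 10 check, plus a minimal in-memory vault showing card-based versus transactional tokens, collision checking, a keyed hash index and a retention purge for token lifetime. The in-memory vault, the HMAC key, the principal names and the clear-text storage of PANs inside the vault are assumptions made to keep the example self-contained; a production vault encrypts stored PANs and keeps its keys in an HSM.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption for this added example: the PAN from the deck's own example.
SAMPLE_PAN = "5353161000010373"

BRAND_LEADING = "3456"   # leading digits of the major card brands


def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) check; real PANs pass, well-designed tokens fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_well_formed_token(token: str, pan: str) -> bool:
    """The four design rules: same length, last four kept, no brand
    leading digit, and the token must fail the mod 10 check."""
    return (token.isdigit() and len(token) == len(pan)
            and token[-4:] == pan[-4:]
            and token[0] not in BRAND_LEADING
            and not luhn_valid(token))


def random_token(pan: str) -> str:
    """Draw random candidates until one satisfies is_well_formed_token."""
    if not (pan.isdigit() and len(pan) in (15, 16, 19) and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    while True:
        first = secrets.choice("012789")      # never 3, 4, 5 or 6
        middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
        candidate = first + middle + pan[-4:]
        if is_well_formed_token(candidate, pan):   # roughly 9 in 10 pass
            return candidate


class TokenVault:
    """In-memory stand-in for a token vault plus its hash table (assumption:
    PANs are held in clear here; a real vault encrypts them)."""

    def __init__(self, index_key: bytes, cde_principals: set):
        self._key = index_key
        self._cde = cde_principals
        self._card_index = {}    # HMAC(PAN) -> token, for card-based tokens
        self._by_token = {}      # token -> (PAN, time issued)

    def _index(self, pan: str) -> str:
        # Keyed hash: an unkeyed SHA-256 of a 16-digit PAN is brute-forceable.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str, now: float) -> str:
        for _ in range(100):
            token = random_token(pan)
            if token not in self._by_token:       # token collision check
                self._by_token[token] = (pan, now)
                return token
        raise RuntimeError("could not find an unused token")

    def tokenise(self, pan: str, mode: str = "card", now: Optional[float] = None) -> str:
        """card: one token per PAN, reused. transaction: a fresh token every call."""
        now = time.time() if now is None else now
        if mode == "transaction":
            return self._new_token(pan, now)
        if mode != "card":
            raise ValueError(mode)
        idx = self._index(pan)
        if idx not in self._card_index:
            self._card_index[idx] = self._new_token(pan, now)
        return self._card_index[idx]

    def detokenise(self, token: str, principal: str) -> str:
        """Reversal is only offered to components inside the CDE."""
        if principal not in self._cde:
            raise PermissionError("detokenisation only inside the CDE")
        return self._by_token[token][0]

    def purge_expired(self, now: float, max_age: float) -> int:
        """Token lifetime / retention: drop transactional tokens older than max_age."""
        live_card_tokens = set(self._card_index.values())
        stale = [t for t, (_, issued) in self._by_token.items()
                 if t not in live_card_tokens and now - issued > max_age]
        for t in stale:
            del self._by_token[t]
        return len(stale)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), {"payment-switch"})
    tok = vault.tokenise(SAMPLE_PAN)
    print(SAMPLE_PAN, "->", tok, "passes mod 10:", luhn_valid(tok))
```

Two design points worth noting. The index is a keyed hash rather than a plain SHA-256 of the PAN, because a 16-digit PAN with a known BIN range has far too little entropy to survive an offline dictionary attack on an unkeyed hash. And the collision check is what makes card-based tokens safe to use as a customer identifier across many transactions: two PANs must never map to the same token.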




Components of a Tokenisation System 

Secure server environment 

- A tokenisation system needs good physical and logical controls. 

- The entity managing the tokenisation system needs to provide this assurance. 

- This can be managed in-house or as a managed service. 

- Don't forget all of the supporting and underpinning services! 

Token vault (database) with hash table 

- The hash table is the glue that matches each piece of sensitive data to a token. 

- Access to the tokenisation system to tokenise and detokenise data. 

- Access to the operating system and other infrastructure. What operations are allowed? 

- The token vault can also be split from the hash table. 
Token Server Deployment Example - In-house 

(Figure: in-house token server deployment.) 

Token Server Deployment Example - Managed Service 

(Figure: managed-service token server deployment.) 

Token Server Deployment Example - Reduced Scope 

(Figure: token server deployment with reduced PCI-DSS scope.) 
PCI SSC Tokenisation Compliance Program 

The Compliance Program provides validated evidence about a 
product's features and capabilities: 

Compliance Effectiveness 

Product Capabilities Support 

Scope impact analysis and coverage 

Management and Usability 

Suitable for Use In and Recommended Configuration 

Product Roadmap 
Implementation Considerations 

Example Implementation Issues 

An organisation with 20+ payment card applications. 

Can all of the applications use tokenised values? 

Does it make sense to use tokenisation for all? 

What about sharing sensitive information? 

I still need to send information securely! 

May have to update security architecture to accommodate 







The challenge with modifying applications 

Organisations baulk at modifying applications to encrypt and 
decrypt data. The solutions vary depending upon constraints 
and the maturity of an organisation to software development. 

Applications most likely need to be modified in some way to 
manage tokens instead of payment card data. 




Attacks on Tokenisation Systems 

When sensitive data is corralled into a single solution: 

An attacker can focus analysis and attacks on the tokenisation system in use. 
Those attacks can be performed online or offline. 

To minimise the likelihood of a successful attack, good 
implementations of tokenisation systems require: 

Authentication 
Authorisation 
Auditing 
Monitoring 
Do I need to worry about all of this? 



It depends... 

Will tokenisation be completely managed in-house? 

Or by a third-party, Tokenisation-as-a-Service (TaaS)? 

Outside North America, TaaS is not a well-known service offering. 

Your organisation may be an early adopter in Australia. 

Can all of my applications be updated to use tokens? 

My organisation is undergoing a change... 




How do I determine if Tokenisation is viable? 

Analyse. Where is the data in transit, in use and at rest? 

- Analyse data flows for the payment card systems your organisation is responsible for. 

- Look at relationships with all entities in the extended enterprise (RACI model). 

Ask. Is tokenisation suitable for my organisation? 

- How many applications do I have that process payment card data? 

- Do any applications have restrictions on adopting tokenisation? 

Act. Do something about it. 

- Start putting up the business case to move towards tokenisation; or 

- Place tokenisation on your strategy & architecture roadmap. 
Is Tokenisation a Silver Bullet? 

It depends upon: 

- Business type and size. 

- Complexity of existing payment card applications. 

- Risk appetite for organisational change. 




A good quote 



Many people view tokenisation as a silver bullet for protecting data or achieving compliance, 
when, in reality, it is an implementation approach that should be considered as a possible part 
of your overall data protection strategy. Tokenisation only makes sense when you integrate 
encryption, secure key management and access control, as they are critical components to a 
comprehensive data protection strategy. Ultimately, there are still many instances where 
(sensitive) data needs to be moved throughout an enterprise and accessed; these are the 
challenges that tokenisation doesn't really solve. 
Summary of Tokenisation 



A disruptive technology that is still gaining traction. 

Costs may increase in some areas and decrease in others. 

PCI-DSS scope is reduced, but the tokenisation server/service is still in scope. 

Take-up in Australia is slow but should increase over the next five years. 

Will not replace encryption; they will both be required. 

Understand how tokenisation may benefit your organisation. 

Understand how tokenisation will impact your organisation if implemented. 

Should be considered and placed on your architectural roadmap. 

Implementation Guideline available from http://www.pcisecuritystandards.org 

Talk to vendors and service providers, but do ask the hard questions! 